Add sensitive_post_parameters decorator to several views

Author: maxim-kht

rest_auth/registration/views.py

@@ -1,5 +1,7 @@
-from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
+from django.utils.decorators import method_decorator
+from django.utils.translation import ugettext_lazy as _
+from django.views.decorators.debug import sensitive_post_parameters
 
 from rest_framework.views import APIView
 from rest_framework.response import Response
@@ -15,20 +17,27 @@
 from rest_auth.app_settings import (TokenSerializer,
                                     JWTSerializer,
                                     create_token)
+from rest_auth.models import TokenModel
 from rest_auth.registration.serializers import (SocialLoginSerializer,
                                                 VerifyEmailSerializer)
+from rest_auth.utils import jwt_encode
 from rest_auth.views import LoginView
-from rest_auth.models import TokenModel
 from .app_settings import RegisterSerializer
 
-from rest_auth.utils import jwt_encode
+sensitive_post_parameters_m = method_decorator(
+    sensitive_post_parameters('password1', 'password2')
+)
 
 
 class RegisterView(CreateAPIView):
     serializer_class = RegisterSerializer
     permission_classes = (AllowAny, )
     token_model = TokenModel
 
+    @sensitive_post_parameters_m
+    def dispatch(self, *args, **kwargs):
+        return super(RegisterView, self).dispatch(*args, **kwargs)
+
     def get_response_data(self, user):
         if allauth_settings.EMAIL_VERIFICATION == \
                 allauth_settings.EmailVerificationMethod.MANDATORY:

rest_auth/views.py

@@ -5,7 +5,9 @@
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.core.exceptions import ObjectDoesNotExist
+from django.utils.decorators import method_decorator
 from django.utils.translation import ugettext_lazy as _
+from django.views.decorators.debug import sensitive_post_parameters
 
 from rest_framework import status
 from rest_framework.views import APIView
@@ -21,6 +23,12 @@
 from .models import TokenModel
 from .utils import jwt_encode
 
+sensitive_post_parameters_m = method_decorator(
+    sensitive_post_parameters(
+        'password', 'old_password', 'new_password1', 'new_password2'
+    )
+)
+
 
 class LoginView(GenericAPIView):
     """
@@ -36,6 +44,10 @@ class LoginView(GenericAPIView):
     serializer_class = LoginSerializer
     token_model = TokenModel
 
+    @sensitive_post_parameters_m
+    def dispatch(self, *args, **kwargs):
+        return super(LoginView, self).dispatch(*args, **kwargs)
+
     def process_login(self):
         django_login(self.request, self.user)
 
@@ -176,6 +188,10 @@ class PasswordResetConfirmView(GenericAPIView):
     serializer_class = PasswordResetConfirmSerializer
     permission_classes = (AllowAny,)
 
+    @sensitive_post_parameters_m
+    def dispatch(self, *args, **kwargs):
+        return super(PasswordResetConfirmView, self).dispatch(*args, **kwargs)
+
     def post(self, request):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
@@ -195,6 +211,10 @@ class PasswordChangeView(GenericAPIView):
     serializer_class = PasswordChangeSerializer
     permission_classes = (IsAuthenticated,)
 
+    @sensitive_post_parameters_m
+    def dispatch(self, *args, **kwargs):
+        return super(PasswordChangeView, self).dispatch(*args, **kwargs)
+
     def post(self, request):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)